Redefining SIEM to Real Time Security Intelligence
David Osborne
Security Architect
September 18, 2012
It's not paranoia if they really are out to get you
• Malware
• Malicious Insiders
• Exploited Vulnerabilities
• Careless Employees
• Mobile Devices
• Social Networking
• Social Engineering
• Zero-Day Exploits
• Cloud Computing Security Threats
• Cyber Espionage
Reality of Compliance
• Audits happen quarterly or annually
• Effort and budget spent to get compliant
• Little focus or process to stay that way
SIEM – The Great Correlator
• Major SIEM Functions
   – Collect
   – Normalize
   – Correlate
• Collect log and event data from systems across the network
   – Security devices, applications, OS, databases, end-point protections, etc.
• Normalize similar events across disparate data sources
   – Login events from a VPN, OS, or Application are all "authentication events"
• Correlate multiple events into known attack vectors or policy violations
   – "Multiple failed logins followed by a success" indicates brute force access
   – Eliminates the need for an analyst to try to "piece together" the event
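The three functions on this slide, collect, normalize and correlate, shown end to end as an added example (not code from the presentation or from any vendor product). The sample VPN, Windows and application records are constructed; the field names and the `sslvpn`/`portal` log layouts are assumptions standing in for whatever the real sources emit. Windows event IDs 4624 (successful logon) and 4625 (failed logon) are the real identifiers.

```python
"""Collect / normalize / correlate on constructed sample log lines."""
import json
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample records from three different sources. In a real deployment
# these would arrive via syslog, Windows event forwarding or an application log API.
RAW_EVENTS = [
    ("vpn", "2012-09-18T08:00:01 vpn01 sslvpn: user=alice src=203.0.113.7 result=FAILED"),
    ("windows", '{"time":"2012-09-18T08:00:05","EventID":4625,"TargetUserName":"alice","IpAddress":"203.0.113.7"}'),
    ("app", "2012-09-18T08:00:09 portal login alice from 203.0.113.7 denied"),
    ("vpn", "2012-09-18T08:00:14 vpn01 sslvpn: user=alice src=203.0.113.7 result=OK"),
    ("app", "2012-09-18T09:15:00 portal login bob from 198.51.100.9 ok"),
]


def normalize(source, line):
    """Map one source-specific record onto the common 'authentication' taxonomy."""
    if source == "vpn":
        m = re.search(r"^(\S+) \S+ sslvpn: user=(\S+) src=(\S+) result=(\S+)", line)
        ts, user, src, result = m.groups()
        outcome = "success" if result == "OK" else "failure"
    elif source == "windows":
        rec = json.loads(line)
        ts, user, src = rec["time"], rec["TargetUserName"], rec["IpAddress"]
        # 4624 = successful logon, 4625 = failed logon (real Windows event IDs)
        outcome = "success" if rec["EventID"] == 4624 else "failure"
    elif source == "app":
        m = re.search(r"^(\S+) portal login (\S+) from (\S+) (ok|denied)$", line)
        ts, user, src, result = m.groups()
        outcome = "success" if result == "ok" else "failure"
    else:
        raise ValueError(f"unknown source {source}")
    return {"time": datetime.fromisoformat(ts), "category": "authentication",
            "user": user, "src_ip": src, "outcome": outcome, "source": source}


def correlate_brute_force(events, threshold=3, window=timedelta(minutes=5)):
    """Flag '>= threshold failures followed by a success' per (user, src_ip).

    Failures are tracked per key in a sliding window so that the rule fires
    regardless of which source (VPN, OS, application) each failure came from.
    """
    recent = {}  # (user, src_ip) -> deque of failure timestamps inside the window
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["user"], ev["src_ip"])
        q = recent.setdefault(key, deque())
        while q and ev["time"] - q[0] > window:  # age out old failures
            q.popleft()
        if ev["outcome"] == "failure":
            q.append(ev["time"])
        elif len(q) >= threshold:
            alerts.append({"user": ev["user"], "src_ip": ev["src_ip"],
                           "failures": len(q), "success_at": ev["time"].isoformat()})
            q.clear()
    return alerts


def run(raw=RAW_EVENTS):
    """Collect (here: the constructed list) -> normalize -> correlate."""
    return correlate_brute_force([normalize(src, line) for src, line in raw])


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The point of the normalization step is visible in the correlation rule: it never inspects the source format, only the common `user`/`src_ip`/`outcome` fields, so alice's three failures across three different systems count together before her VPN success.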
Redefining SIEM
• Security is a Process, not a Product
   – Each stage supports the next
   – A "weak link" breaks the process
   – Tools need to automate each stage
   – Integration provides actionable intelligence
• Legacy SIEMs are Limited
   – Risk Assessment: limited to VA scan data
   – Threat Detection: limited to event correlation
   – Incident Response: limited to log analysis
   – Compliance Reporting: limited to canned reports
SIEM is Still Evolving…To
• SIEM Content Awareness (Next Generation SIEM)
   – Content Awareness is understanding the payload at the application layer
       • What is actually being communicated, transferred, and shared over the network
       • Examples of "content" awareness are the understanding of:
           – Email contents, including the attachments
           – Social, IM and P2P network communications
           – Document contents
           – Application relationships with database queries and responses
           – Database monitoring
           – Data leakage: sensitive information within chat, email, printed output, etc.
Adding Context to Logs
(Diagram in the original: a single log record surrounded by the questions an analyst asks about each of its fields.)
• Time: What else happened at this time? Near this time? What is the time zone?
• IP address: DNS name, Windows name, other names? Whois info? Organization owner? Where does the IP originate from (geolocation info)? What else happened on this host? Which other hosts did this IP communicate with?
• Service: What is this service? What other messages did it produce? What other systems does it run on?
• Host: What is the host's IP address? Other names? Location on the network/datacenter? Who is the admin? Is this system vulnerable to exploits?
• User: Who is this user? What is the user's access level? What is the user's real name, department, location? What other events from this user?
• Port: What is this port? Is this a normal port for this service? What else is this service being used for?
• Numeric fields: What does this number mean? Is this documented somewhere?
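An added example of answering those context questions for one record by joining it against the sources a SIEM is normally wired to (asset inventory / VA scan results, user directory, known-service table, whois/geo feed, and the surrounding event stream). This is not the presentation's or any vendor's code; every lookup table and event below is a constructed stand-in, the internal network list is an assumed configuration value, and the vulnerability identifier is a labelled placeholder rather than a real CVE.

```python
"""Enrich one log record with host, user, service and source-IP context."""
import ipaddress
from datetime import datetime, timedelta

# Assumed SIEM configuration: a record's source is "external" when it is in
# none of these networks (explicit config, not library heuristics).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed context sources standing in for CMDB + VA scanner, directory, port table, whois/geo.
ASSETS = {"10.0.5.23": {"hostname": "db02.corp.example", "windows_name": "DB02",
                        "location": "DC1 rack 7", "admin": "dba-team",
                        "open_vulns": ["CVE-PLACEHOLDER-1"]}}  # placeholder id, not a real CVE
USERS = {"jsmith": {"real_name": "J. Smith", "department": "Finance",
                    "access_level": "standard", "location": "Building A"}}
SERVICES = {("tcp", 1433): "mssql", ("tcp", 22): "ssh", ("tcp", 443): "https"}
GEO = {"203.0.113.0/24": {"country": "XX", "org": "Example Hosting (constructed)"}}

# Constructed event stream for the "what else happened near this time?" question.
EVENTS = [
    {"time": "2012-09-18T03:10:02Z", "host": "10.0.5.23", "msg": "sshd: accepted key for dba-team"},
    {"time": "2012-09-18T03:12:44Z", "host": "10.0.5.23", "msg": "mssql: login jsmith"},
    {"time": "2012-09-18T03:13:30Z", "host": "10.0.5.23", "msg": "mssql: bulk export 1.2 GB"},
    {"time": "2012-09-18T11:00:00Z", "host": "10.0.5.23", "msg": "backup: completed"},
]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def lookup_geo(ip):
    addr = ipaddress.ip_address(ip)
    for net, info in GEO.items():
        if addr in ipaddress.ip_network(net):
            return info
    return {"country": "unknown", "org": "unknown"}


def _parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def nearby_events(record, events=EVENTS, minutes=5):
    """Messages from the same host within +/- `minutes` of the record, excluding itself."""
    t0 = _parse(record["time"])
    window = timedelta(minutes=minutes)
    return [ev["msg"] for ev in events
            if ev["host"] == record["dst_ip"]
            and abs(_parse(ev["time"]) - t0) <= window
            and ev["msg"] != record.get("msg")]


def enrich(record, asset_db=ASSETS, user_db=USERS, service_db=SERVICES):
    """Attach context fields; the original record fields are left untouched."""
    out = dict(record)
    host = asset_db.get(record["dst_ip"], {})
    out["host_ctx"] = host
    out["host_vulnerable"] = bool(host.get("open_vulns"))
    out["user_ctx"] = user_db.get(record["user"], {})
    svc = service_db.get((record["proto"], record["dst_port"]))
    out["service"] = svc or "unknown"
    out["unusual_port"] = svc is None
    out["src_external"] = not is_internal(record["src_ip"])
    out["src_geo"] = lookup_geo(record["src_ip"]) if out["src_external"] else {"country": "internal"}
    out["nearby"] = nearby_events(record)
    return out


def triage_notes(enriched):
    """Plain-language reasons an analyst would look at this record first."""
    notes = []
    if enriched["src_external"]:
        notes.append(f"external source {enriched['src_ip']} ({enriched['src_geo']['org']})")
    if enriched["host_vulnerable"]:
        notes.append("target host has open findings from the last VA scan")
    if enriched["unusual_port"]:
        notes.append("service/port pair is not in the known-service table")
    if enriched["user_ctx"].get("access_level") == "standard" and enriched["service"] == "mssql":
        notes.append("standard user logging directly into a database server")
    return notes


# Constructed record under investigation.
SAMPLE = {"time": "2012-09-18T03:12:44Z", "user": "jsmith", "src_ip": "203.0.113.9",
          "dst_ip": "10.0.5.23", "proto": "tcp", "dst_port": 1433, "msg": "mssql: login jsmith"}

if __name__ == "__main__":
    e = enrich(SAMPLE)
    for note in triage_notes(e):
        print("-", note)
    print("nearby:", e["nearby"])
```

Each context source is consulted but never allowed to rewrite the original record, so the raw evidence stays intact for incident response while the enriched copy carries the answers the diagram asks for.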
Broad Content and Context Correlation
(Diagram in the original: the correlation engine joins the inputs below against the threat categories listed last.)
• Application Contents
• Authentication & IAM
• Events from Security Devices
• User Identity
• Device & Application Log Files
• Database Transactions
• OS events
• VA Scan Data
• Location
Threat categories: Malware, Viruses, Trojans; Insider Threats; Advanced Threats, Exploits
SIEM and Situational Awareness
• SIEM DOES NOT SOLVE APT, but Provides Situational Awareness
   – THERE IS NO APT "ALL IN ONE SOLUTION"
• SIEM Can Help with Attacks
   – Determining the Scope of Attack
       • What Systems or Devices were Involved
       • What DATA was Compromised
       • What Evasion Techniques were Utilized
       • Timelines
       • Toolsets Utilized
       • Work Flows and Processes of Attackers
   – Heuristics for Historical Correlation
• Even with SIEM, Security Expertise and Experience is REQUIRED
   – Well Trained Security Analysts, Highly Developed Security Policies and Procedures Combined with SIEM for Situational Awareness is the BEST Strategy for dealing with Exploits, Low and Slow Attacks and APT
Scalability & Performance
• Unmatched Speed
   – Industry's Fastest SIEM
   – 100x to 1,000x faster than current solutions
   – Queries, correlation and analysis in minutes, not hours
• Unmatched Scale
   – Collect all relevant data, not selected sub-sets
   – Analyze months and years of data, not weeks
   – Include higher layer context and content information
   – Scales easily to billions of data records
NitroView Overview
"Single Pane-of-Glass"
• McAfee ESM: Unified Visibility & Analysis; Compliance & Reporting; Policy Management
• McAfee ELM: Log Management; Compliant Log Storage; SAN/CIFS/NFS/Local Storage
• McAfee Receiver: 3rd Party Log/Event Collection; Network Flow Data Collection; VMware Receivers Available
• McAfee ADM (Application Data Monitor): Layer 7 Decode; Full Meta-Data Collection; Application Visibility: 100s of applications and 500+ document types
• McAfee DEM (Database Activity Monitor): Database Log Generation; Session Audit; Data Visibility: data traffic from leading databases
• McAfee ACE (Advanced Correlation): Risk-Based Correlation; Historical Correlation; Risk Scoring: detect potential threats, asset information/context, vulnerability information, which assets are most at-risk
Global Threat Intelligence (GTI)
(Same component diagram as the NitroView overview, with a "Shared Threat Intelligence" feed added alongside Application Visibility, Data Visibility and Risk Scoring.)
• Reputation-based WW visibility into all types of cyber threats
• Automatic, push feed
• Today – Bad Actors/Dangerous IPs
• Additional GTI capabilities:
   – file, web, message & network connection reputation
   – web categorization
How can SIEM help with MTTR?
• Advanced Correlation uses activity to determine Risk
• Baselines to determine deviations from normal activity
• Normalization of events into a common taxonomy
• Global Threat Intelligence to determine if I have any communication with external known bad actors
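An added example of three of these MTTR helpers together, and of the "scope of attack" questions from the situational-awareness slide: a per-host baseline with a deviation check, a match of flow destinations against a bad-actor feed summarized per internal host (which systems, first/last contact, bytes out), and a risk ordering that puts hosts carrying both signals first. This is not the vendor's code; the history, today's totals, the flow records and the reputation feed are all constructed, and the feed set merely stands in for whatever a real GTI push feed would deliver.

```python
"""Baseline deviation + threat-feed match + risk ordering on constructed flows."""
from datetime import datetime
from statistics import mean, pstdev

# Constructed: seven days of outbound byte totals per host (the baseline), and today's totals.
HISTORY = {
    "ws-041": [120_000, 140_000, 110_000, 130_000, 125_000, 135_000, 115_000],
    "ws-077": [90_000, 95_000, 100_000, 85_000, 92_000, 98_000, 88_000],
}
TODAY = {"ws-041": 128_000, "ws-077": 2_400_000, "ws-013": 4_000}

# Constructed reputation feed standing in for the "bad actors / dangerous IPs" push feed.
BAD_ACTORS = {"203.0.113.50", "198.51.100.200"}

# Constructed flow records: (timestamp, internal host, destination IP, bytes out).
FLOWS = [
    ("2012-09-18T01:05:00", "ws-077", "203.0.113.50", 800_000),
    ("2012-09-18T01:20:00", "ws-077", "203.0.113.50", 900_000),
    ("2012-09-18T02:10:00", "ws-013", "203.0.113.50", 4_000),
    ("2012-09-18T09:00:00", "ws-041", "192.0.2.10", 12_000),
]


def baseline_deviations(history=HISTORY, today=TODAY, z_threshold=3.0, min_days=3):
    """Hosts whose volume today exceeds mean + z_threshold * stddev of their own history.

    Hosts with too little history are skipped rather than scored against a guess;
    a host with no history at all (ws-013 here) is therefore never flagged by this rule.
    """
    findings = {}
    for host, value in today.items():
        hist = history.get(host, [])
        if len(hist) < min_days:
            continue
        mu, sigma = mean(hist), pstdev(hist)
        if sigma == 0:
            z = 0.0 if value == mu else float("inf")
        else:
            z = (value - mu) / sigma
        if z > z_threshold:
            findings[host] = round(z, 1)
    return findings


def bad_actor_contacts(flows=FLOWS, feed=BAD_ACTORS):
    """Per internal host that talked to a feed entry: destinations, first/last contact, bytes out."""
    scope = {}
    for ts, host, dst, nbytes in flows:
        if dst not in feed:
            continue
        t = datetime.fromisoformat(ts)
        s = scope.setdefault(host, {"destinations": set(), "first": t, "last": t, "bytes_out": 0})
        s["destinations"].add(dst)
        s["first"] = min(s["first"], t)
        s["last"] = max(s["last"], t)
        s["bytes_out"] += nbytes
    return scope


def prioritize(history=HISTORY, today=TODAY, flows=FLOWS, feed=BAD_ACTORS):
    """Risk-based ordering: hosts with both a volume anomaly and a bad-actor contact first,
    then hosts with either signal alone. Returns a list of (host, reasons)."""
    dev = baseline_deviations(history, today)
    contacts = bad_actor_contacts(flows, feed)
    scored = []
    for host in set(dev) | set(contacts):
        reasons = []
        if host in dev:
            reasons.append(f"outbound volume z={dev[host]}")
        if host in contacts:
            c = contacts[host]
            reasons.append(f"contacted {sorted(c['destinations'])} "
                           f"{c['first'].isoformat()}..{c['last'].isoformat()}")
        scored.append((len(reasons), host, reasons))
    scored.sort(key=lambda x: (-x[0], x[1]))
    return [(host, reasons) for _, host, reasons in scored]


if __name__ == "__main__":
    for host, reasons in prioritize():
        print(host, "|", "; ".join(reasons))
```

The two signals are deliberately independent: the baseline says nothing about who the traffic went to, and the feed match says nothing about how much was sent, so a host that trips both (ws-077 in the constructed data) ranks above one that only touched a listed address with a trickle of bytes (ws-013).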
17

More Related Content

What's hot

IBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence OverviewIBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence OverviewCamilo Fandiño Gómez
 
McAfee SIEM solution
McAfee SIEM solution McAfee SIEM solution
McAfee SIEM solution hashnees
 
From SIEM to SA: The Path Forward
From SIEM to SA: The Path ForwardFrom SIEM to SA: The Path Forward
From SIEM to SA: The Path ForwardEMC
 
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR)An Overhyped Product Category With Ulti...Extended Detection and Response (XDR)An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...Raffael Marty
 
SIEM (Security Information and Event Management)
SIEM (Security Information and Event Management)SIEM (Security Information and Event Management)
SIEM (Security Information and Event Management)Osama Ellahi
 
Whitepaper IBM Qradar Security Intelligence
Whitepaper IBM Qradar Security IntelligenceWhitepaper IBM Qradar Security Intelligence
Whitepaper IBM Qradar Security IntelligenceCamilo Fandiño Gómez
 
Modern vs. Traditional SIEM
Modern vs. Traditional SIEM Modern vs. Traditional SIEM
Modern vs. Traditional SIEM Alert Logic
 
7 Reasons your existing SIEM is not enough
7 Reasons your existing SIEM is not enough7 Reasons your existing SIEM is not enough
7 Reasons your existing SIEM is not enoughCloudAccess
 
IBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence OverviewIBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence OverviewCamilo Fandiño Gómez
 
Security Incident and Event Management (SIEM) - Managed and Hosted Solutions ...
Security Incident and Event Management (SIEM) - Managed and Hosted Solutions ...Security Incident and Event Management (SIEM) - Managed and Hosted Solutions ...
Security Incident and Event Management (SIEM) - Managed and Hosted Solutions ...Sirius
 
Security Analytics for Data Discovery - Closing the SIEM Gap
Security Analytics for Data Discovery - Closing the SIEM GapSecurity Analytics for Data Discovery - Closing the SIEM Gap
Security Analytics for Data Discovery - Closing the SIEM GapEric Johansen, CISSP
 
SIEM vs Log Management - Data Security Solutions 2011
SIEM vs Log Management - Data Security Solutions 2011 SIEM vs Log Management - Data Security Solutions 2011
SIEM vs Log Management - Data Security Solutions 2011 Andris Soroka
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)k33a
 
Identity intelligence: Threat-aware Identity and Access Management
Identity intelligence: Threat-aware Identity and Access ManagementIdentity intelligence: Threat-aware Identity and Access Management
Identity intelligence: Threat-aware Identity and Access ManagementProlifics
 
SIEM - Activating Defense through Response by Ankur Vats
SIEM - Activating Defense through Response by Ankur VatsSIEM - Activating Defense through Response by Ankur Vats
SIEM - Activating Defense through Response by Ankur VatsOWASP Delhi
 

What's hot (20)

SIEM
SIEMSIEM
SIEM
 
IBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence OverviewIBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence Overview
 
McAfee SIEM solution
McAfee SIEM solution McAfee SIEM solution
McAfee SIEM solution
 
From SIEM to SA: The Path Forward
From SIEM to SA: The Path ForwardFrom SIEM to SA: The Path Forward
From SIEM to SA: The Path Forward
 
IBM Security QFlow & Vflow
IBM Security QFlow & VflowIBM Security QFlow & Vflow
IBM Security QFlow & Vflow
 
SIEM Architecture
SIEM ArchitectureSIEM Architecture
SIEM Architecture
 
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR)An Overhyped Product Category With Ulti...Extended Detection and Response (XDR)An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
 
SIEM (Security Information and Event Management)
SIEM (Security Information and Event Management)SIEM (Security Information and Event Management)
SIEM (Security Information and Event Management)
 
Whitepaper IBM Qradar Security Intelligence
Whitepaper IBM Qradar Security IntelligenceWhitepaper IBM Qradar Security Intelligence
Whitepaper IBM Qradar Security Intelligence
 
Modern vs. Traditional SIEM
Modern vs. Traditional SIEM Modern vs. Traditional SIEM
Modern vs. Traditional SIEM
 
7 Reasons your existing SIEM is not enough
7 Reasons your existing SIEM is not enough7 Reasons your existing SIEM is not enough
7 Reasons your existing SIEM is not enough
 
IBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence OverviewIBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence Overview
 
Security Incident and Event Management (SIEM) - Managed and Hosted Solutions ...
Security Incident and Event Management (SIEM) - Managed and Hosted Solutions ...Security Incident and Event Management (SIEM) - Managed and Hosted Solutions ...
Security Incident and Event Management (SIEM) - Managed and Hosted Solutions ...
 
Security Analytics for Data Discovery - Closing the SIEM Gap
Security Analytics for Data Discovery - Closing the SIEM GapSecurity Analytics for Data Discovery - Closing the SIEM Gap
Security Analytics for Data Discovery - Closing the SIEM Gap
 
SIEM
SIEMSIEM
SIEM
 
SIEM vs Log Management - Data Security Solutions 2011
SIEM vs Log Management - Data Security Solutions 2011 SIEM vs Log Management - Data Security Solutions 2011
SIEM vs Log Management - Data Security Solutions 2011
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)
 
Identity intelligence: Threat-aware Identity and Access Management
Identity intelligence: Threat-aware Identity and Access ManagementIdentity intelligence: Threat-aware Identity and Access Management
Identity intelligence: Threat-aware Identity and Access Management
 
SIEM - Your Complete IT Security Arsenal
SIEM - Your Complete IT Security ArsenalSIEM - Your Complete IT Security Arsenal
SIEM - Your Complete IT Security Arsenal
 
SIEM - Activating Defense through Response by Ankur Vats
SIEM - Activating Defense through Response by Ankur VatsSIEM - Activating Defense through Response by Ankur Vats
SIEM - Activating Defense through Response by Ankur Vats
 

Similar to Redefining siem to real time security intelligence

RSA 2006 - Visual Security Event Analysis
RSA 2006 - Visual Security Event AnalysisRSA 2006 - Visual Security Event Analysis
RSA 2006 - Visual Security Event AnalysisRaffael Marty
 
Symantec Endpoint Protection 12
Symantec Endpoint Protection 12Symantec Endpoint Protection 12
Symantec Endpoint Protection 12Symantec
 
The New Mobile Landscape - OWASP Ireland
The New Mobile Landscape - OWASP IrelandThe New Mobile Landscape - OWASP Ireland
The New Mobile Landscape - OWASP IrelandTyler Shields
 
OSS Presentation Keynote by Hal Stern
OSS Presentation Keynote by Hal SternOSS Presentation Keynote by Hal Stern
OSS Presentation Keynote by Hal SternOpenStorageSummit
 
Bulding Soc In Changing Threat Landscapefinal
Bulding Soc In Changing Threat LandscapefinalBulding Soc In Changing Threat Landscapefinal
Bulding Soc In Changing Threat LandscapefinalMahmoud Yassin
 
CYBER INTELLIGENCE & RESPONSE TECHNOLOGY
CYBER INTELLIGENCE & RESPONSE TECHNOLOGYCYBER INTELLIGENCE & RESPONSE TECHNOLOGY
CYBER INTELLIGENCE & RESPONSE TECHNOLOGYjmical
 
Information Security
Information SecurityInformation Security
Information SecurityMohit8780
 
Bright and Gray areas of Clound Computing
Bright and Gray areas of Clound ComputingBright and Gray areas of Clound Computing
Bright and Gray areas of Clound Computingpallavikhandekar212
 
Database development and security certification and accreditation plan pitwg
Database development and security certification and accreditation plan  pitwgDatabase development and security certification and accreditation plan  pitwg
Database development and security certification and accreditation plan pitwgJohn M. Kennedy
 
Trend micro real time threat management press presentation
Trend micro real time threat management press presentationTrend micro real time threat management press presentation
Trend micro real time threat management press presentationAndrew Wong
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection systemSweta Sharma
 
How to protect your corporate from advanced attacks
How to protect your corporate from advanced attacksHow to protect your corporate from advanced attacks
How to protect your corporate from advanced attacksMicrosoft
 
Enterprise Strategy for Cloud Security
Enterprise Strategy for Cloud SecurityEnterprise Strategy for Cloud Security
Enterprise Strategy for Cloud SecurityBob Rhubart
 
Security in the Cloud
Security in the CloudSecurity in the Cloud
Security in the CloudWSO2
 

Similar to Redefining siem to real time security intelligence (20)

2012 Data Center Security
2012 Data Center Security2012 Data Center Security
2012 Data Center Security
 
RSA 2006 - Visual Security Event Analysis
RSA 2006 - Visual Security Event AnalysisRSA 2006 - Visual Security Event Analysis
RSA 2006 - Visual Security Event Analysis
 
Symantec Endpoint Protection 12
Symantec Endpoint Protection 12Symantec Endpoint Protection 12
Symantec Endpoint Protection 12
 
The New Mobile Landscape - OWASP Ireland
The New Mobile Landscape - OWASP IrelandThe New Mobile Landscape - OWASP Ireland
The New Mobile Landscape - OWASP Ireland
 
OSS Presentation Keynote by Hal Stern
OSS Presentation Keynote by Hal SternOSS Presentation Keynote by Hal Stern
OSS Presentation Keynote by Hal Stern
 
Bulding Soc In Changing Threat Landscapefinal
Bulding Soc In Changing Threat LandscapefinalBulding Soc In Changing Threat Landscapefinal
Bulding Soc In Changing Threat Landscapefinal
 
CYBER INTELLIGENCE & RESPONSE TECHNOLOGY
CYBER INTELLIGENCE & RESPONSE TECHNOLOGYCYBER INTELLIGENCE & RESPONSE TECHNOLOGY
CYBER INTELLIGENCE & RESPONSE TECHNOLOGY
 
Vormetric - Gherkin Event
Vormetric - Gherkin EventVormetric - Gherkin Event
Vormetric - Gherkin Event
 
Enterprise API Security & Data Loss Prevention - Intel
Enterprise API Security & Data Loss Prevention - IntelEnterprise API Security & Data Loss Prevention - Intel
Enterprise API Security & Data Loss Prevention - Intel
 
Information Security
Information SecurityInformation Security
Information Security
 
Nebezpecny Internet Novejsi Verze
Nebezpecny Internet Novejsi VerzeNebezpecny Internet Novejsi Verze
Nebezpecny Internet Novejsi Verze
 
Bright and Gray areas of Clound Computing
Bright and Gray areas of Clound ComputingBright and Gray areas of Clound Computing
Bright and Gray areas of Clound Computing
 
Database development and security certification and accreditation plan pitwg
Database development and security certification and accreditation plan  pitwgDatabase development and security certification and accreditation plan  pitwg
Database development and security certification and accreditation plan pitwg
 
Security Intelligence
Security IntelligenceSecurity Intelligence
Security Intelligence
 
Trend micro real time threat management press presentation
Trend micro real time threat management press presentationTrend micro real time threat management press presentation
Trend micro real time threat management press presentation
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection system
 
How to protect your corporate from advanced attacks
How to protect your corporate from advanced attacksHow to protect your corporate from advanced attacks
How to protect your corporate from advanced attacks
 
Enterprise Strategy for Cloud Security
Enterprise Strategy for Cloud SecurityEnterprise Strategy for Cloud Security
Enterprise Strategy for Cloud Security
 
Security in the Cloud
Security in the CloudSecurity in the Cloud
Security in the Cloud
 
Security in the Cloud
Security in the CloudSecurity in the Cloud
Security in the Cloud
 

Recently uploaded

Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGSujit Pal
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 

Recently uploaded (20)

Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 

Redefining SIEM to Real Time Security Intelligence (slide transcript)

1. Redefining SIEM to Real Time Security Intelligence
   David Osborne, Security Architect
   September 18, 2012

2. It's not paranoia if they really are out to get you
   • Malware
   • Malicious Insiders
   • Exploited Vulnerabilities
   • Careless Employees
   • Mobile Devices
   • Social Networking
   • Social Engineering
   • Zero-Day Exploits
   • Cloud Computing Security Threats
   • Cyber Espionage

3. Reality of Compliance
   • Audits happen quarterly or annually
   • Effort and budget spent to get compliant
   • Little focus or process to stay that way
4. SIEM – The Great Correlator
   • Major SIEM Functions
      – Collect
      – Normalize
      – Correlate
   • Collect log and event data from systems across the network
      – Security devices, applications, OS, databases, end-point protections, etc.
   • Normalize similar events across disparate data sources
      – Login events from a VPN, OS, or Application are all "authentication events"
   • Correlate multiple events into known attack vectors or policy violations
      – "Multiple failed logins followed by a success" indicates brute force access
      – Eliminates the need for an analyst to try to "piece together" the event
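The collect / normalize / correlate pipeline on this slide, and the "common taxonomy" point of slide 15, as an added example that is not part of the original deck. It parses three constructed log formats (a VPN concentrator, Linux sshd, and a JSON-logging web application) into one "authentication" event shape, then applies the slide's own rule: several failures followed by a success from the same user and source address raise one alert. The log formats, the field names, the five-minute window and the threshold of three are all assumptions made for the example; the addresses are from the TEST-NET documentation ranges.

```python
"""Normalize authentication events from three constructed log sources (a VPN
concentrator, a Linux sshd, a web application) into one taxonomy, then
correlate "multiple failed logins followed by a success" into an alert.
Added example; not code from the slide deck. Log formats and field names
are constructed for illustration."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines. 203.0.113.0/24 and 198.51.100.0/24 are
# documentation (TEST-NET) ranges, so none of these addresses are real hosts.
RAW_LOGS = [
    "2012-09-18T10:00:01Z vpn1 VPN_AUTH user=alice src=203.0.113.5 result=FAIL",
    "2012-09-18T10:00:03Z vpn1 VPN_AUTH user=alice src=203.0.113.5 result=FAIL",
    "2012-09-18T10:00:05Z srv7 sshd[4131]: Failed password for alice from 203.0.113.5 port 51022 ssh2",
    "2012-09-18T10:00:07Z srv7 sshd[4131]: Failed password for alice from 203.0.113.5 port 51023 ssh2",
    '2012-09-18T10:00:09Z app1 {"event": "login", "user": "alice", "ip": "203.0.113.5", "ok": false}',
    "2012-09-18T10:00:12Z srv7 sshd[4140]: Accepted password for alice from 203.0.113.5 port 51030 ssh2",
    "2012-09-18T11:30:00Z vpn1 VPN_AUTH user=bob src=198.51.100.9 result=OK",
]

# One parser per source; each maps onto the same normalized record below.
VPN_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) VPN_AUTH user=(?P<user>\S+) src=(?P<ip>\S+) result=(?P<res>\w+)$")
SSH_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<res>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)")
APP_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<body>\{.*\})$")


def _event(ts, host, source, user, ip, ok):
    """Build one record in the common taxonomy shared by every source."""
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "host": host,
            "source": source, "category": "authentication", "user": user,
            "src_ip": ip, "outcome": "success" if ok else "failure"}


def normalize(line):
    """Map a raw line onto the taxonomy; return None for lines we do not parse."""
    m = VPN_RE.match(line)
    if m:
        return _event(m["ts"], m["host"], "vpn", m["user"], m["ip"], m["res"] == "OK")
    m = SSH_RE.match(line)
    if m:
        return _event(m["ts"], m["host"], "os", m["user"], m["ip"], m["res"] == "Accepted")
    m = APP_RE.match(line)
    if m:
        body = json.loads(m["body"])
        if body.get("event") == "login":
            return _event(m["ts"], m["host"], "application", body["user"], body["ip"], body["ok"])
    return None


WINDOW = timedelta(minutes=5)   # failures older than this no longer count (assumption)
THRESHOLD = 3                   # failures required before a success raises an alert (assumption)


def correlate(events):
    """Raise one alert per (user, src_ip) whose success follows at least
    THRESHOLD failures inside WINDOW, whichever sources logged them."""
    recent_failures = defaultdict(list)   # (user, src_ip) -> failure events still in window
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src_ip"])
        window = [f for f in recent_failures[key] if ev["ts"] - f["ts"] <= WINDOW]
        if ev["outcome"] == "failure":
            window.append(ev)
        elif len(window) >= THRESHOLD:
            alerts.append({
                "rule": "brute_force_then_success",
                "user": ev["user"], "src_ip": ev["src_ip"],
                "failures": len(window),
                "sources": sorted({f["source"] for f in window} | {ev["source"]}),
                "first_failure": window[0]["ts"], "success": ev["ts"],
            })
            window = []   # reset so the same burst is not reported twice
        recent_failures[key] = window
    return alerts


def run(lines=RAW_LOGS):
    """Collect -> normalize -> correlate over a list of raw lines."""
    events = [e for e in map(normalize, lines) if e is not None]
    return {"normalized": len(events), "alerts": correlate(events)}


if __name__ == "__main__":
    result = run()
    print(f"{result['normalized']} authentication events normalized")
    for alert in result["alerts"]:
        print(alert)
```

The point of the normalization step is visible in the alert: the five failures came from three different products with three different log formats, and the correlation rule never had to know that. Without the shared taxonomy, each source would have to be correlated separately and the cross-source burst would be missed.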
5. Redefining SIEM
   • Security is a Process, not a Product
      – Each stage supports the next
      – A "weak link" breaks the process
      – Tools need to automate each stage
      – Integration provides actionable intelligence
   • Legacy SIEMs are Limited
      – Risk Assessment: limited to VA scan data
      – Threat Detection: limited to event correlation
      – Incident Response: limited to log analysis
      – Compliance Reporting: limited to canned reports

6. SIEM is Still Evolving…To
   • SIEM Content Awareness (Next Generation SIEM)
      – Content Awareness is Understanding the Payload at the Application Layer
         • What is actually being Communicated, Transferred, and Shared over the Network.
         • Examples of "Content" Awareness is the understanding of:
            – Email contents, including the attachments
            – Social, IM and P2P Network Communications
            – Document Contents
            – Application Relationships with Database Queries and Responses
            – Database Monitoring
            – Data Leakage
            – Sensitive Information within chat, email, printed, etc.
7. Adding Context to Logs
   (Diagram: the questions an analyst asks about one log record, grouped here by the field they concern)
   • Host: DNS name, Windows name, other names? What is the host's IP address? Location on the network/datacenter? Who is the admin? Is this system vulnerable to exploits? What else happened on this host?
   • Time: What else happened at this time? Near this time? What is the time zone?
   • Source IP: Whois info? Organization owner? Where does the IP originate from (geolocation info)? Which other hosts did this IP communicate with?
   • Service: What is this service? What other messages did it produce? What other systems does it run on? What else is this service being used for?
   • User: Who is this user? What is the user's access level? What is the user's real name, department, location? Other names? What other events from this user?
   • Port: What is this port? Is this a normal port for this service?
   • Numeric codes: What does this number mean? Is this documented somewhere?
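The enrichment the diagram describes, as an added example that is not part of the original deck: one log record is joined against constructed asset, identity, IP-intelligence, service and event-id tables, and the "what else happened on this host / from this user / near this time" questions are answered by counting neighbouring events in a constructed event store. Questions no lookup can answer are returned as explicit gaps rather than silently omitted. All tables, the record, the ten-minute "near this time" window and the field names are assumptions made for the example; the only real identifiers are the Windows logon event id 4624 and the RDP port 3389.

```python
"""Add context to a single log record from constructed asset, identity,
IP-intelligence, service and event-id lookups, and count related events from
a constructed event store. Added example; not from the slide deck. Every
table and record below is constructed for illustration."""
from datetime import datetime, timedelta


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


# The record to be enriched (constructed). 4624 is the Windows event id for a
# successful logon; 3389 is the RDP port. 203.0.113.0/24 is a TEST-NET range.
LOG_RECORD = {"ts": "2012-09-18T10:00:12Z", "host_ip": "10.1.2.7", "user": "alice",
              "src_ip": "203.0.113.5", "dst_port": 3389, "event_id": 4624}

# Constructed context sources; a SIEM would pull these from a CMDB, the
# directory, whois/geo feeds, VA scan results and its own documentation.
ASSETS = {"10.1.2.7": {"hostname": "fin-ws12", "dns_name": "fin-ws12.corp.example",
                       "admin": "desktop-ops", "location": "HQ floor 3",
                       "expected_ports": {3389, 445}, "critical_vulns": 2}}
USERS = {"alice": {"real_name": "Alice Example", "department": "Finance",
                   "access_level": "standard", "aliases": ["a.example"]}}
IP_INTEL = {"203.0.113.5": {"whois_org": "Example ISP", "country": "ZZ", "tz": "UTC+2"}}
SERVICES = {22: "ssh", 443: "https", 3389: "rdp"}
EVENT_IDS = {4624: "Windows: an account was successfully logged on"}

# Constructed event store used to answer the "what else happened ...?" questions.
EVENT_STORE = [
    {"ts": "2012-09-18T10:00:05Z", "host_ip": "10.1.2.7", "user": "alice", "src_ip": "203.0.113.5"},
    {"ts": "2012-09-18T10:00:09Z", "host_ip": "10.1.2.7", "user": "svc_backup", "src_ip": "10.1.2.50"},
    {"ts": "2012-09-18T10:20:00Z", "host_ip": "10.1.2.8", "user": "alice", "src_ip": "203.0.113.5"},
    {"ts": "2012-09-18T09:55:00Z", "host_ip": "10.1.2.9", "user": "bob", "src_ip": "203.0.113.5"},
]

NEAR = timedelta(minutes=10)   # what "near this time" means here (assumption)


def related_events(record, store=EVENT_STORE, near=NEAR):
    """Count other events near the record's time that share its host, user or source IP."""
    t = _ts(record["ts"])
    nearby = [e for e in store if abs(_ts(e["ts"]) - t) <= near]
    return {
        "same_host": sum(e["host_ip"] == record["host_ip"] for e in nearby),
        "same_user": sum(e["user"] == record["user"] for e in nearby),
        "same_src_ip": sum(e["src_ip"] == record["src_ip"] for e in nearby),
    }


def enrich(record, store=EVENT_STORE):
    """Return the record plus a context block. Questions no lookup can answer
    are listed under 'gaps' so the analyst knows what is still unknown."""
    ctx, gaps = {}, []

    asset = ASSETS.get(record["host_ip"])          # host name, owner, location, vulns
    if asset:
        ctx["asset"] = asset
    else:
        gaps.append(f"host {record['host_ip']} not in asset inventory")

    user = USERS.get(record["user"])               # real name, department, access level
    if user:
        ctx["user"] = user
    else:
        gaps.append(f"user {record['user']} not in directory")

    intel = IP_INTEL.get(record["src_ip"])         # whois, geolocation, time zone
    if intel:
        ctx["src_ip"] = intel
    else:
        gaps.append(f"no whois/geo data for {record['src_ip']}")

    port = record["dst_port"]                      # what service, and is it normal for this host?
    ctx["port"] = {"service": SERVICES.get(port, "unknown"),
                   "expected_on_host": (port in asset["expected_ports"]) if asset else None}

    meaning = EVENT_IDS.get(record["event_id"])    # what does this number mean?
    if meaning:
        ctx["event_meaning"] = meaning
    else:
        gaps.append(f"event id {record['event_id']} not documented")

    ctx["related"] = related_events(record, store)
    ctx["gaps"] = gaps
    return {**record, "context": ctx}


if __name__ == "__main__":
    for key, value in enrich(LOG_RECORD)["context"].items():
        print(f"{key}: {value}")
```

Returning the unanswered questions as data matters in practice: a record from a host missing from the inventory, or a source address with no intelligence, is itself a finding, and an enrichment step that quietly drops those fields hides it.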
8. Broad Content and Context Correlation
   (Diagram: the inputs correlated together)
   • Authentication Events from Security Devices
   • Application & IAM
   • Contents
   • User Identity
   • Device & Application Log Files
   • Database Transactions
   • Location
   • OS Events
   • VA Scan Data
   (Diagram: the threats detected from them)
   • Malware, Viruses, Trojans, Exploits
   • Insider Threats
   • Advanced Threats

9. SIEM and Situational Awareness
   • SIEM DOES NOT SOLVE APT, but Provides Situational Awareness
      – THERE IS NO APT "ALL IN ONE SOLUTION"
   • SIEM Can Help with Attacks
      – Determining the Scope of Attack
         • What Systems or Devices were Involved
         • What DATA was Compromised
         • What Evasion Techniques were Utilized
         • Timelines
         • Toolsets Utilized
         • Work Flows and Processes of Attackers
      – Heuristics for Historical Correlation
   • Even with SIEM, Security Expertise and Experience are REQUIRED
      – Well Trained Security Analysts and Highly Developed Security Policies and Procedures, Combined with SIEM for Situational Awareness, form the BEST Strategy for dealing with Exploits, Low-and-Slow Attacks and APT

10. Scalability & Performance
   • Unmatched Speed
      – Industry's Fastest SIEM
      – 100x to 1,000x faster than current solutions
      – Queries, correlation and analysis in minutes, not hours
   • Unmatched Scale
      – Collect all relevant data, not selected sub-sets
      – Analyze months and years of data, not weeks
      – Include higher layer context and content information
      – Scales easily to billions of data records

11. NitroView Overview: "Single Pane-of-Glass"
   (Diagram: the six McAfee components and what each provides)
   • McAfee ESM
      – Unified Visibility & Analysis
      – Compliance & Reporting
      – Policy Management
   • McAfee ELM
      – Log Management
      – Compliant Log Storage
      – SAN/CIFS/NFS/Local Storage
   • McAfee Receiver
      – 3rd Party Log/Event Collection
      – Network Flow Data Collection
      – VMware Receivers Available
   • McAfee ADM (Application Visibility: 100s of applications and 500+ document types)
      – Application Data Monitor
      – Layer 7 Decode
      – Full Meta-Data Collection
   • McAfee DEM (Data Visibility: data traffic from leading databases)
      – Database Activity Monitor
      – Database Log Generation
      – Session Audit
   • McAfee ACE (Risk Scoring: detect potential threats)
      – Advanced Correlation
      – Risk-Based Correlation
      – Historical Correlation
      – Asset information/context
      – Vulnerability Information
      – Which assets are most at-risk

12. Global Threat Intelligence (GTI)
   (Diagram: the same ESM / ELM / Receiver / ADM / DEM / ACE layout as slide 11, with DEM labelled "Database Event Monitor", fed by shared threat intelligence)
   • Shared Threat Intelligence
      – Reputation-based
      – WW visibility into all types of cyber threats
      – Automatic, push feed
      – Today: Bad Actors/Dangerous IPs
      – Additional GTI capabilities:
         • file, web, message & network connection reputation
         • web categorization

13. How can SIEM help with MTTR?
   • Advanced Correlation uses activity to determine Risk

14. How can SIEM help with MTTR?
   • Baselines to determine deviations from normal activity

15. How can SIEM help with MTTR?
   • Normalization of events into a common taxonomy

16. How can SIEM help with MTTR?
   • Global Threat Intelligence to determine if I have any communication with external known bad actors
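Slides 13, 14 and 16 together describe risk scoring from activity, from deviation against a baseline, and from contact with known bad actors. The following is an added example that is not part of the original deck and is not McAfee's product logic: each host's outbound volume is compared with a per-host baseline (mean and standard deviation of a constructed seven-day history), its peers are checked against a constructed reputation list standing in for a GTI-style feed, and vulnerability context from the asset record adds to the score. The history, the feed, the 3-sigma threshold and the point weights are all assumptions; the reputation-list addresses are from the TEST-NET documentation ranges and do not refer to real systems.

```python
"""Risk-score hosts by combining a per-host activity baseline (deviation from
normal), a reputation list of known bad actors (the GTI idea) and vulnerability
context. Added example; not from the slide deck or McAfee's products. All
feeds, history and weights are constructed for illustration."""
import statistics

# Constructed reputation feed; TEST-NET addresses, not real bad actors.
BAD_ACTORS = {"203.0.113.66", "198.51.100.200"}

# Constructed history: outbound bytes per day over the last seven days.
HISTORY = {
    "fin-ws12": [120e6, 110e6, 130e6, 125e6, 115e6, 118e6, 122e6],
    "srv7":     [2.0e9, 2.1e9, 1.9e9, 2.2e9, 2.0e9, 2.05e9, 1.95e9],
}
# Constructed observations for today: volume, peers talked to, open critical vulns.
TODAY = {
    "fin-ws12": {"out_bytes": 900e6, "peers": ["203.0.113.66", "198.51.100.7"], "critical_vulns": 2},
    "srv7":     {"out_bytes": 2.1e9, "peers": ["10.1.2.50"], "critical_vulns": 0},
}

SIGMA_THRESHOLD = 3.0   # how far from baseline counts as a deviation (assumption)
WEIGHTS = {"deviation": 40, "bad_actor": 40, "per_critical_vuln": 10, "vuln_cap": 20}  # assumption


def baseline(samples):
    """Mean and population standard deviation of the historical samples."""
    return statistics.mean(samples), statistics.pstdev(samples)


def sigmas(value, mean, std):
    """Distance from the baseline in standard deviations (0 when history is flat)."""
    return 0.0 if std == 0 else (value - mean) / std


def assess(host, today=TODAY, history=HISTORY, intel=BAD_ACTORS):
    """Score one host 0..100 and keep the reasons that contributed."""
    obs = today[host]
    score, reasons = 0, []

    # Slide 14: deviation from the host's own normal activity.
    mean, std = baseline(history[host])
    z = sigmas(obs["out_bytes"], mean, std)
    if z >= SIGMA_THRESHOLD:
        score += WEIGHTS["deviation"]
        reasons.append(f"outbound volume {z:.1f} sigma above baseline")

    # Slide 16: communication with external known bad actors.
    bad = sorted(p for p in obs["peers"] if p in intel)
    if bad:
        score += WEIGHTS["bad_actor"]
        reasons.append("communicated with known bad actor(s): " + ", ".join(bad))

    # Slide 13: asset/vulnerability context feeds the risk, capped so it cannot
    # dominate the activity-based signals on its own.
    vuln_points = min(WEIGHTS["vuln_cap"], WEIGHTS["per_critical_vuln"] * obs["critical_vulns"])
    if vuln_points:
        score += vuln_points
        reasons.append(f"{obs['critical_vulns']} critical vulnerabilities on host")

    return {"host": host, "risk": min(100, score), "sigma": round(z, 1), "reasons": reasons}


def prioritize(today=TODAY, history=HISTORY, intel=BAD_ACTORS):
    """Rank hosts by risk so the analyst works the highest-risk one first."""
    return sorted((assess(h, today, history, intel) for h in today),
                  key=lambda r: r["risk"], reverse=True)


if __name__ == "__main__":
    for result in prioritize():
        print(f"{result['host']}: risk {result['risk']} ({'; '.join(result['reasons']) or 'nothing notable'})")
```

The MTTR argument on these slides is the ranking, not any single check: a host whose traffic is far above its own baseline and that talked to a listed address arrives at the top of the queue with the reasons attached, while a host that is merely busy in its usual way does not generate work for the analyst.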